CVE-2026-45334

CVE-2026-45334CVE-2026-45334

Description

Kirby is an open-source content management system. In versions prior to 4.9.1 and 5.4.1, the content-locking feature returned lock information without checking the requesting user's access permissions. Kirby's Panel includes a content-locking feature that records which user currently has a model open for editing. This lock prevents conflicting edits by multiple users and displays the locking user's identity in the Panel UI so other users know who to contact. Internally, the locking user's email address and identifier are included in every Panel view payload and in error responses returned when a user attempts to edit a model that is currently locked by another user. This allowed a low-privilege authenticated Panel user, whose role was configured with users.access: false or users.list: false, to learn the email address and identifier of any user who currently had a model open for editing in the Panel, including administrators and other higher-privilege users. Content locks are active fo

Scoring

Last modified2026-07-16
Sourced from NVD. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.
CVE-2026-45334: CVE-2026-45334 | SQUR KB